CNDP is celebrating its 14th anniversary soon. Its president talks in detail about the main projects of the Moroccan regulator aimed at increasing efficiency and creating a true culture of personal data protection.
An information leak that targeted the Ministry of Higher Education, Research and Innovation in December 2022 caused a lot of noise. The case raises questions about the ability of public authorities, as well as private ones, to protect the personal data of Moroccan citizens, especially since computer attacks have become more frequent in recent years, not only in Morocco but throughout the world. This interview returns to the details of the case, as well as to the current projects of the National Commission for the Control of Personal Data Protection (CNDP), the creation of a center dedicated to health, and the shortcomings of Law 09-08 regarding the protection of individuals in the processing of personal data. The President of the Commission also discusses ongoing projects that are meant to strengthen the role of the regulator.
Several media outlets reported on a recent computer attack on the Ministry of Higher Education. What do you think it is?
First, it would be more correct to talk about leaks, or rather, the presence of personal data on the dark web, some of which may resemble those handled by the Ministry of Higher Education, Scientific Research and Innovation (MESRSI). To date, it has not been confirmed that the ministry is the source of these leaks or that it is the only one manipulating this type of data. The instructions are on their way. They need to be managed calmly and serenely, without hasty conclusions and without excessive zeal. We have responsible institutions. Our goal is to facilitate the implementation of solutions, and not just point the finger at this or that potential malfunction.
How did the CNDP handle this case and did you observe any hiccups from the ministry?
The CNDP quickly contacted the MESRSI, which responded very quickly. The exchange was launched over the weekend and several meetings were held in the following days. To fully understand, it is necessary to know that there are different levels of compliance, including legal, organizational and technical. The legal level means that you have submitted to the CNDP, in accordance with the requirements of Law 09-08, statements or requests for prior authorization, and this before the processing of personal data. The level of compliance materializes the obligations that a data controller must assume in order to comply with Law 09-08. After that, the latter must fulfill its obligations at the organizational and technical levels. For example, at the organizational level, it should not leave paper documents containing personal data anywhere, at the risk of seeing them with dried fruit merchants or others. With regard to the MESRSI, the CNDP noted non-compliance with the law, as the processing of personal data on the portal Tawjihi.ma had not been notified to the CNDP before it was carried out. It should be noted, however, that the MESRSI subsequently decided to terminate these procedures and initiate steps to bring them into line.
What is the ministry risking because of this failure?
Without prejudice to further action to be taken following the observation of this legal breach, the MESRSI and the CNDP have signed an agreement on Data Tika. The Ministry has committed to harmonize all its processing of personal data within a period not exceeding 31 January 2023. We see that there are not only disadvantages. We want to turn all of this into a great opportunity that will increase compliance with Law 09-08 throughout the higher education ecosystem. This agreement was signed on December 30 in the presence of all rectors of state universities.
This case challenges us with regard to the level of confidentiality of personal information held by government agencies and Moroccan companies. Are they sufficiently protected from cybercrime?
You know, I refer quite often to essayist Paul Virilio, who basically said that by inventing the train, we created the railroad accident. By inventing the airplane, we have created a plane crash. So we could say that by inventing cyber, we created cyber attacks. You must remember two things. First, cyber attacks are the evil of the modern world with which we have to live. Therefore, it is necessary to comply at the legal, organizational and technical levels.
Secondly, the press is talking more and more about cyberattacks. This does not mean that there were fewer of them before. The defense clearly needs to be strengthened. This is a truism. You don’t have to be an expert to know this.
Are you seeing real awareness of these risks?
Not quite, or rather, not yet. We must work on this on an ongoing basis, whether at the level of citizens or users in companies and administrations. However, I can say that there are several bodies in Morocco working to limit this modern evil, in particular the General Directorate for Information Systems Security (DGSSI), the General Directorate for National Security (DGSN), the National Judicial Police Brigade (BNPJ) and the State Ministry. National institutions are efficient and vigilant.
From a legislative point of view, Morocco is well equipped, but is it enough?
We still have a lot of work to do. Law 09-08 is not yet well known. We have made progress in recent years. This is evidenced by investigations by the National Telecommunications Regulatory Agency. In 2018, only 17% of respondents had heard of CNDP. This figure rose to 37% in 2019, then to 47% in 2020 and exceeded 50% in 2021. But above all, we must not give in to complacency. It means little. Knowing the CNDP does not mean understanding the intricacies of Law 09-08 and the protection of personal data. There is still a lot to be done. You must be able to manage the protection of personal data as a culture, a lifestyle, a reflex … We often say that “to live in a digital world, you must breathe data protection.”
How exactly is the work on changing Law 09-08 going, and what exactly will it change?
It’s pretty simple. It is necessary to be able to facilitate control a priori and strengthen it a posteriori. You cannot control everyone. The protection of personal data should be equated with civil behavior. And since we cannot control everyone, then the punishments, in case of violation, should be severe. In addition, respect for personal data and privacy should be extended at all levels and in all courses of study (primary, secondary and higher education).
It is also necessary to use all channels, be it associations, television, radio, social networks … Therefore, the future law should provide for the integration of everything that will make the protection of personal data a positive culture.
You accompanied the Ministry of Health on universal compulsory health insurance. Will a health center be established under the CNDP?
We really worked on this topic with the National Social Insurance Fund. We have adopted an “ecosystem” approach, which is to manage all the players at the same time, avoiding, as we say, “head in the wheel.”
In answer to your question, yes, we are in the process of forming a health sector team within the CNDP. There is a lot of work to be done and difficulties can arise at times. For the health sector, as for all other sectors, certain bad habits must be overcome. We are working on it. Cooperation with the Minister of Health is excellent. We hope that we can achieve a certain number of goals.
You have started several projects, in particular the reorganization of the CNDP. What projects are you currently working on?
We have several projects in the works, but the main one, in my opinion, is related to the continued training and development of our teams, which have great merit, because they are the ones who make the current changes, and often under great stress. It is not easy to become a flexible administration at the service of citizens, companies and government agencies. Moreover, we do not yet have all the necessary funds. In this regard, I want to pay tribute to them. We are also working on a revision of the law, as well as on preliminary discussions (video recorder, genomic information, blockchain, etc.). We are also working on simplifying and dematerializing procedures. We are also working to create a Mediterranean network of data protection experts. Many projects are under development!